Add example and clarification about encryption with data source (#6808)
* Integrate SSL section to the different data source

Split SSL section to the different data source

* Add encryption section for the different datasource

Add encryption section for the different datasource

* Remove ampersand for all possible values

Remove ampersand for all possible values for the encryption with MySQL data source

* Fix bad syntax

Fix bad syntax

* Application of the recommendations as suggested by @cwarnermm and @coltoneshaw

Application of the recommendations as suggested by @cwarnermm and @coltoneshaw
Gregesp authored Feb 7, 2024
1 parent 282fb44 commit 59bad37
Showing 1 changed file with 76 additions and 9 deletions.
85 changes: 76 additions & 9 deletions source/configure/database-configuration-settings.rst
Expand Up @@ -43,15 +43,45 @@ Data source
| String input. | - Environment variable: ``MM_SQLSETTINGS_DATASOURCE`` |
| | |
+---------------------------------------------------------------+--------------------------------------------------------------------------+
| To enable SSL: |
| |
| - Add ``&tls=true`` to your database connection string if your SQL driver supports it. |
| - Add ``&tls=skip-verify`` if you use self-signed certificates. |
+---------------------------------------------------------------+--------------------------------------------------------------------------+
| **PostgreSQL databases** |
| |
| When **Driver Name** is set to ``postgres``, use a connection string in the form of: |
| ``postgres://mmuser:password@localhost:5432/mattermost_test?sslmode=disable&connect_timeout=10.`` |
| ``postgres://mmuser:password@hostname_or_IP:5432/mattermost_test?sslmode=disable&connect_timeout=10`` |
| |
| **To use TLS with PostgreSQL databases**: |
| |
| The parameter to encrypt connection against a PostgreSQL server is ``sslmode``. The library used to interact with PostgreSQL server is |
| `pq <https://pkg.go.dev/github.com/lib/pq>`__. For the moment, it's not possible to use all the values that you could pass to a standard |
| PostgreSQL Client ``psql "sslmode=value"`` `See (SSL Mode Descriptions) <https://www.postgresql.org/docs/current/libpq-ssl.html>`__. |
| |
| Your database administrator must configure the functionality according possible values describe below : |
| |
| +----------------------------------------+-----------------+---------------------------------------------------------------------------+ |
| | Short description of the ``sslmode`` | Value | Example of a data source name | |
| | parameter | | | |
| +========================================+=================+===========================================================================+ |
| | Don't use TLS / SSL encryption against | ``disable`` | ``postgres://mmuser:password@hostname_or_IP:5432/mattermost_test | |
| | | | ?sslmode=disable&connect_timeout=10`` | |
| | PostgreSQL server. | | | |
| | | | | |
| | (Default value in file ``config.json``)| | | |
| +----------------------------------------+-----------------+---------------------------------------------------------------------------+ |
| | The data is encrypted and the network | ``require`` | ``postgres://mmuser:password@hostname_or_IP:5432/mattermost_test | |
| | | | ?sslmode=require&connect_timeout=10`` | |
| | is trusted. | | | |
| | | | | |
| | (Default ``sslmode`` | | | |
| | if the value is omitted) | | | |
| +----------------------------------------+-----------------+---------------------------------------------------------------------------+ |
| | The data is encrypted when connecting | ``verify-ca`` | ``postgres://mmuser:password@hostname_or_IP:5432/mattermost_test | |
| | | | ?sslmode=verify-ca&connect_timeout=10`` | |
| | to a trusted server. | | | |
| +----------------------------------------+-----------------+---------------------------------------------------------------------------+ |
| | The data is encrypted when connecting | ``verify-full`` | ``postgres://mmuser:password@hostname_or_IP:5432/mattermost_test | |
| | | | ?sslmode=verify-full&connect_timeout=10`` | |
| | to the trusted server. | | | |
| +----------------------------------------+-----------------+---------------------------------------------------------------------------+ |
| |
+---------------------------------------------------------------+--------------------------------------------------------------------------+
| **MySQL databases** |
| |
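
Review bot: In the ``sslmode`` table, the ``verify-ca`` and ``verify-full`` rows are described almost identically ("connecting to a trusted server" versus "to the trusted server"), so a reader cannot tell what the second value adds, and the ``require`` row says "the network is trusted" without saying whether the server certificate is checked. Suggest stating for each value what is verified (nothing, the CA chain, the CA chain plus the host name), following the linked SSL Mode Descriptions, and naming the value recommended for production. The lead example data source still shows ``sslmode=disable``, and "according possible values describe below :" should read "according to the possible values described below:".
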
Expand All @@ -63,7 +93,7 @@ Data source
| |
| "SqlSettings": { |
| "DataSource": |
| "<user:pass>@<servername>/mattermost?charset=utf8mb4,utf8&collation=utf8mb4_general_ci", |
| "<mmuser:password>@tcp(hostname or IP:3306)/mattermost?charset=utf8mb4,utf8&collation=utf8mb4_general_ci", |
| [...] |
| } |
| |
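
Review bot: The new MySQL placeholder ``<mmuser:password>@tcp(hostname or IP:3306)`` mixes two conventions: angle brackets wrap only the credentials, and the host placeholder contains spaces, whereas the PostgreSQL examples in this commit use ``hostname_or_IP``. A reader copying the line may keep the brackets or the spaces in ``config.json``. Suggest ``mmuser:password@tcp(hostname_or_IP:3306)/mattermost?...`` so both data sources use the same placeholder style.
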
Expand All @@ -72,12 +102,49 @@ Data source
| .. code-block:: none |
| |
| "SqlSettings": { |
| "DataSource": "<user:pass>@<servername>/mattermost?charset=utf8mb4,utf8", |
| "DataSource": "<mmuser:password>@tcp(hostname or IP:3306)/mattermost?charset=utf8mb4,utf8", |
| [...] |
| } |
| |
| **Note**: If you’re using MySQL 8.0 or later, the default collation has changed to ``utf8mb4_0900_ai_ci``. See our `Database Software |
| Requirements </install/software-hardware-requirements.html>`__ documentation for details on MySQL 8.0 support. |
| |
| **To use TLS with MySQL databases**: |
| |
| The parameter to encrypt connection against a MySQL server is ``tls``. |
| The library used to interact with MySQL is `Go-MySQL-Driver <https://pkg.go.dev/github.com/go-sql-driver/mysql>`__. |
| For the moment, it's not possible to use all the values that you could pass to a standard MySQL Client ``mysql --ssl-mode=value``. |
| `See Connection-Encryption Option Summary <https://dev.mysql.com/doc/refman/8.0/en/connection-options.html #option_general_ssl-mode>`__ |
| for a version 8.0 |
| `See Connection-Encryption Option Summary <https://dev.mysql.com/doc/refman/5.7/en/connection-options.html#option_general_ssl-mode>`__ |
| or for a version 5.7. |
| |
| Your database administrator must configure the functionality according possible values describe below : |
| |
| +----------------------------------------+-----------------+---------------------------------------------------------------------------+ |
| | Short description of the ``tls`` | Value | Example of a data source name | |
| | parameter | | | |
| +========================================+=================+===========================================================================+ |
| | Don't use TLS / SSL encryption against | ``false`` | ``"<mmuser:password>@tcp(hostname or IP:3306)/mattermost_test | |
| | | | ?charset=utf8mb4,utf8&writeTimeout=30s&tls=false"`` | |
| | MySQL server. | | | |
| +----------------------------------------+-----------------+---------------------------------------------------------------------------+ |
| | Use TLS / SSL encryption against | ``true`` | ``"<mmuser:password>@tcp(hostname or IP:3306)/mattermost_test | |
| | | | ?charset=utf8mb4,utf8&writeTimeout=30s&tls=true"`` | |
| | MySQL server. | | | |
| +----------------------------------------+-----------------+---------------------------------------------------------------------------+ |
| | Use TLS / SSL encryption with a self- | ``skip-verify`` | ``"<mmuser:password>@tcp(hostname or IP:3306)/mattermost_test | |
| | | | ?charset=utf8mb4,utf8&writeTimeout=30s&tls=skip-verify"`` | |
| | signed certificate against | | | |
| | MySQL server. | | | |
| +----------------------------------------+-----------------+---------------------------------------------------------------------------+ |
| | Use TLS / SSL encryption if server | ``preferred`` | ``"<mmuser:password>@tcp(hostname or IP:3306)/mattermost_test | |
| | | | ?charset=utf8mb4,utf8&writeTimeout=30s&tls=preferred"`` | |
| | advertises a possible fallback | | | |
| | | | | |
| | unencrypted if it's not advertised. | | | |
| +----------------------------------------+-----------------+---------------------------------------------------------------------------+ |
| |
+---------------------------------------------------------------+--------------------------------------------------------------------------+

.. config:setting:: database-maxidleconnections
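
Review bot: In the ``tls`` table, the ``skip-verify`` row is described only as "with a self-signed certificate" and the ``preferred`` row allows an unencrypted fallback, but neither row tells the administrator that these values are weaker than ``true``. Suggest saying in the ``skip-verify`` row that the server certificate is not verified and in the ``preferred`` row that the connection may end up unencrypted; the ``preferred`` description ("if server advertises a possible fallback unencrypted if it's not advertised") is also hard to parse as written. Separately, the MySQL 8.0 link target contains a space before ``#option_general_ssl-mode``, which breaks the anchor, and the "for a version 8.0 ... or for a version 5.7" sentence places each version label after its link rather than with it. The same "according possible values describe below :" wording appears here as in the PostgreSQL section.
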
Expand Down Expand Up @@ -516,4 +583,4 @@ Replica monitor interval (seconds)
| dynamically choose a replica if it's alive. | - Environment variable: ``MM_SQLSETTINGS_REPLICAMONITORINTERVALSECONDS`` |
| | |
| Numerical input. Default is 5 seconds. | |
+--------------------------------------------------------+---------------------------------------------------------------------------------+
+--------------------------------------------------------+---------------------------------------------------------------------------------+
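
Review bot: The only changed line in this hunk is the closing table border, which looks identical before and after, so this is presumably a whitespace or end-of-file newline change. It is unrelated to the encryption documentation; confirm it is intentional or drop it from the commit.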
